VDB
KO
MEDIUM 5.6

GHSA-89p7-7cq3-hhr2

rm: 'rm -rf ./' (and ./// variants) silently deletes current directory contents, bypassing dot protection

Details

`rm -rf .` is correctly refused, but `clean_trailing_slashes` normalizes `.///` to `./` while `path_is_current_or_parent_directory` only matches `.`/`..` (and `/.`/`/..`), not `./` or `../`. So `rm -rf ./` recursively deletes the directory's contents and then prints a misleading `cannot remove './': Invalid input`.

**Impact:** all files/subdirectories in the current directory are silently deleted; the misleading error makes users miss the recovery window. Recommendation: handle trailing-slash variants in `path_is_current_or_parent_directory`.

**Remediation:** Acknowledged by Canonical; fixed in commit d0e5af23.

--- _Reported by Zellic in the *uutils coreutils Program Security Assessment* (prepared for Canonical, Jan 20 2026), audited commit `3a07ffc5a9bd4c283e75afa548ba1f1957bad242`. Finding 3.60. Credit: Zellic._

_Upstream tracking issue: https://github.com/uutils/coreutils/issues/9749 · CVE-2026-35363_

Are you affected?

Enter the version of the package you're using.

Affected packages

crates.io / uu_rm
Introduced in: 0 Fixed in: 0.6.0

Upgrade uu_rm to 0.6.0 or newer (ecosystem crates.io).

References